Twitter goofs up, and sends out mass password reset to users

If you received an email like this, would you believe it's legitimate or not?

Twitter password reset email

Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We've reset your password to prevent others from accessing your account.

You'll need to create a new password for your Twitter account. You can select a new password at this link:

[Reset password.]

As always, you can also request a new password.

Please don't reuse your old password and be sure to choose a strong password (such as one with a combination of letters, numbers, and symbols).

Any security-savvy person should, of course, be cautious about automatically clicking on the links, just in case the email had been sent out by online criminals attempting to phish your Twitter credentials.

But, in this case, just in case you think it was a phishing message, let me reassure you. The email *did* come from Twitter HQ, but it *wasn't* legitimate.

Huh? How's that possible?

Well, because Twitter sent out the message by mistake in the last few hours to many users.

TechCrunch reports that Twitter has issued a short statement, acknowledging its error.

We unintentionally sent some password reset notices tonight due to a system error. We apologize to the affected users for the inconvenience.

In short, either Twitter had a bug in its code or (more likely) human error caused the messages to be sent out by mistake.

Ironically, Twitter was trying to help. The service - like some other online sites - attempts to better protect its users by determining when they might have fallen victim to hacks that exposed passwords on *other* websites, and resetting credentials when it believes the user may have used the same (now unsafe) password on Twitter.
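The kind of check described above, sketched as an added example (this is not Twitter's code; the account records, the leaked dump and the batch cap are constructed): a proactive reset is triggered only when a password leaked elsewhere actually verifies against the account's stored hash, and an oversized batch is held for review rather than sent, the sort of guard that limits an erroneous mass reset.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 50_000  # PBKDF2 work factor (assumed; kept modest so the example runs quickly)

@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes  # PBKDF2-HMAC-SHA256 of the password, never the plaintext

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_account(email: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(email, salt, hash_password(password, salt))

def accounts_to_reset(accounts, leaked_pairs):
    """Emails whose stored hash verifies against a password leaked on another site.
    Matching on email alone would flag every user present in the leak; requiring the
    leaked password to verify against the stored hash keeps reuse detection precise."""
    by_email = {a.email.lower(): a for a in accounts}
    hits = []
    for email, leaked_pw in leaked_pairs:
        acct = by_email.get(email.lower())
        if acct is None:
            continue  # leak entry belongs to someone without an account here
        if hmac.compare_digest(hash_password(leaked_pw, acct.salt), acct.pw_hash):
            hits.append(acct.email)
    return hits

def safe_to_send(hits, max_resets):
    """Hold any batch larger than the expected volume for operator review, so a bug
    in the matching cannot fan a reset notice out to the whole user base."""
    return len(hits) <= max_resets

# Constructed sample data: three accounts and an (email, password) dump from another site.
ACCOUNTS = [
    make_account("alice@example.com", "hunter2"),      # reused the leaked password
    make_account("bob@example.com", "correct horse"),  # in the leak, different password
    make_account("carol@example.com", "Tr0ub4dor&3"),  # not in the leak at all
]
LEAKED = [("alice@example.com", "hunter2"), ("Bob@example.com", "hunter2"),
          ("dave@example.com", "letmein")]
if __name__ == "__main__":
    hits = accounts_to_reset(ACCOUNTS, LEAKED)
    print(hits, "send" if safe_to_send(hits, max_resets=2) else "hold for review")
```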

But, of course, it got it wrong this time.

There is no indication as to exactly how many Twitter users received the messages, or what caused the social network to send out the erroneous messages, but there are certainly plenty of users who tweeted their concerns.

At the very least, let's hope that those who did act upon Twitter's alert reset their password to a stronger, harder-to-crack one that they are not using anywhere else on the net.

I would also like to think that at least some of the users will have taken advantage of Twitter's two-factor authentication service for better security at the same time.

There is, of course, still something that we all need to worry about here, aside from the gremlins in Twitter's systems that led to this problem in the first place.

Users can easily become complacent about genuine security warnings if they start to be sent out by firms by accident, meaning that popular websites like Twitter cannot afford to make too many mistakes like this.
